
What is the Python-based Legion Credential Attack?

Researchers at Cado Labs discovered a new Python-based hacking tool called Legion being distributed on Telegram. Known for its low detection rate on VirusTotal, this modular tool can be utilized by cybercriminals to hack into online services.

The Legion hacking tool targets and exfiltrates data from insecure web servers. It uses a scraping tool to search Shodan for misconfigured cloud servers and vulnerable SMTP servers. Once identified, Legion can compromise these servers and use them for further attacks like phishing and spam campaigns.

Note that Legion is not exploiting newly discovered vulnerabilities. The tool focuses its attack vector against known vulnerabilities and host misconfigurations.

What Happened?

Legion threat actors performed various malicious activities, including server enumeration, remote code execution, exploiting memory-related vulnerabilities, brute-forcing accounts, interacting with search engines, abusing AWS services, creating admin users, implanting webshells, and sending spam SMS messages targeting US customers.


“The malware scans for and extracts Laravel application secrets from exposed user environment variables (.env) files. It targets various services for credential theft, including payment API functions, AWS console credentials (specifically SNS, S3, and SES), Mailgun, and database/CMS platforms.”


The malware has impacted carriers such as AT&T, Sprint, and T-Mobile.

The Source of The Legion Hacking Tool

Little is known about Legion malware, but the creators are believed to have enhanced features from AndroxGh0st and AlienFox. The Legion tool uses open-source tools to find vulnerabilities and to execute email phishing or spam attacks. These email phishing attacks became the method to access the target networks.


The researchers have yet to identify the definitive source of Legion. However, security researchers discovered several Indonesian-language comments on the YouTube channel suggesting the possible creator of the malware may be Indonesian. Additionally, references to a user with the handle “my13gion” in the Telegram Group have provided clues to its source.

Recommendations to Protect Your Organization

Organizations should actively review their security processes and make sure credentials are stored securely. 


  • If credentials are stored in a .env file, they should be kept in directories that are inaccessible from the web.
  • The Legion hacking tool is ultimately a credential-harvesting tool and malware. Deploying cloud-based AI-enabled email security tools will help prevent phishing attacks and malware like Legion while reducing the organization’s attack surface. 
  • Organizations utilizing cloud providers like AWS and Microsoft Azure should review and audit their shared responsibility obligations outlined in the terms of use for those platforms to ensure proper configuration of their web servers to help prevent malware outbreaks. 
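One way to check the first recommendation on your own servers, as an added example that is not from Cado Labs or the original article: the script walks a web document root, lists every .env-style file stored inside it, and reports which credential categories named in the article each file holds, without printing any values. The key prefixes follow common Laravel naming and are an assumption, and the sample directory is constructed.

```python
import os
import tempfile

# Key prefixes mapped to services the article lists. The prefixes follow
# common Laravel .env naming and are an assumption; extend them for your stack.
SENSITIVE_PREFIXES = {
    "APP_KEY": "laravel-app-key",
    "AWS_": "aws",
    "MAILGUN_": "mailgun",
    "MAIL_": "smtp",
    "DB_": "database",
}

def classify_env(text):
    """Return categories whose keys carry a non-empty value (values are never returned)."""
    found = set()
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if not sep or key.startswith("#") or not value.strip().strip("'\""):
            continue  # blank line, comment, or key with no value set
        key = key.replace("export ", "", 1).strip()
        found.update(c for p, c in SENSITIVE_PREFIXES.items() if key.startswith(p))
    return sorted(found)

def audit_docroot(docroot):
    """Walk a web document root and list every .env-style file stored inside it."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name == ".env" or name.startswith(".env."):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    categories = classify_env(fh.read())
                findings.append((os.path.relpath(path, docroot), categories))
    return sorted(findings)

def demo():
    """Constructed layout: the project root (not public/) is served as the docroot."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "public"))
        with open(os.path.join(root, ".env"), "w") as fh:
            fh.write("APP_KEY=base64:CONSTRUCTED\nDB_PASSWORD=example\n"
                     "AWS_SECRET_ACCESS_KEY=EXAMPLEONLY\nMAILGUN_SECRET=\n")
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, cats in demo():
        print(f"{rel}: inside docroot, holds {cats}")
```

Any finding means the file sits where the web server could serve it; move it above the document root and rotate the credentials in the categories reported.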

Credential theft continues to be a major form of cyber attack, as seen with the recent discovery of Legion. It’s crucial to regularly review and secure corporate data, especially credentials and user information.

1 comment

fitspresso complaints consumer reports March 16, 2024 - 23:10

Thank you for sharing your personal experiences and stories. It takes courage to open up, and you do it with such grace and authenticity.





Cubic Lighthouse is a cybersecurity publication dedicated to demystifying security, making news actionable, providing deeper thinking about the fundamentals of security, and providing decision-makers and the community at large with the right information to make the right decisions. We will also feature more technical articles and provide personal/family security advice.

©2024 Cubic Consulting, a Smart Security Company for your Business – All Rights Reserved.